Create OneBranch Pipeline to build and release snap packages (#107)

Author: TravisEz13

.config/tsaoptions.json

@@ -0,0 +1,11 @@
+{
+    "instanceUrl": "https://msazure.visualstudio.com",
+    "projectName": "One",
+    "areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core",
+    "notificationAliases": [
+        "[email protected]",
+        "[email protected]",
+        "[email protected]",
+        "[email protected]"
+    ]
+}

.pipelines/PowerShell-Snap-Official.yml

@@ -0,0 +1,97 @@
+
+parameters:
+- name: release
+  type: string
+  displayName: |
+    Use `stable` to release by default.
+
+    Use `private` if you want to create a branch on the store to test the package.
+    This will create a branch under the edge branch automatically that are difficult, but not impossible to find.
+
+    `candidate`, `beta`, and `edge` are public but we don't have any existing meaning for these channels.
+  values:
+      - private
+      - stable
+      - candidate
+      - beta
+      - edge
+  default: stable
+
+trigger: none
+
+variables:
+  - name: CDP_DEFINITION_BUILD_COUNT
+    value: $[counter('', 0)] # needed for onebranch.pipeline.version task 
+  - name: LinuxContainerImage
+    value: mcr.microsoft.com/onebranch/cbl-mariner/build:2.0 # Docker image which is used to build the project 
+  - name: DEBIAN_FRONTEND
+    value: noninteractive
+  - group: poolNames
+
+resources:
+  repositories:
+    - repository: templates
+      type: git
+      name: OneBranch.Pipelines/GovernedTemplates
+      ref: refs/heads/main
+
+extends:
+  template: v2/OneBranch.Official.CrossPlat.yml@templates
+  parameters:
+    git:
+      fetchDepth: 1
+      # windows only feature
+      #longpaths: true
+      retryCount: 3
+      # we don't use this and some of our agents doesn't have the feature installed
+      lfs: false
+    cloudvault: 
+      enabled: false # set to true to enable cloudvault
+      runmode: stage # linux can run CloudVault upload as a separate stage
+      dependsOn: linux_build
+      artifacts:
+        - drop_linux_stage_linux_job
+    customTags: 'ES365AIMigrationTooling'
+    globalSdl:
+      disableLegacyManifest: true
+      # disabled Armorty as we dont have any ARM templates to scan. It fails on some sample ARM templates.
+      armory:
+        enabled: false
+      sbom:
+        enabled: true
+      compiled:
+          enabled: false
+      credscan:
+        enabled: true
+        scanFolder:  $(Build.SourcesDirectory)
+      cg:
+        enabled: true
+      asyncSdl: # https://aka.ms/obpipelines/asyncsdl
+        enabled: true
+        forStages: [scan_lts, scan_stable, scan_preview]
+        credscan:
+          enabled: true
+          scanFolder:  $(Build.SourcesDirectory)
+          #suppressionsFile: $(Build.SourcesDirectory)\PowerShell\.config\suppress.json
+        binskim:
+          enabled: false
+        # APIScan requires a non-Ready-To-Run build
+        apiscan:
+          enabled: false
+        tsaOptionsFile: .config\tsaoptions.json
+
+    stages:
+    - template: /.pipelines/templates/releaseBuildAndPushStage.yml@self
+      parameters:
+        channel: stable
+        release: ${{ parameters.release }}
+
+    - template: /.pipelines/templates/releaseBuildAndPushStage.yml@self
+      parameters:
+        channel: preview
+        release: ${{ parameters.release }}
+
+    - template: /.pipelines/templates/releaseBuildAndPushStage.yml@self
+      parameters:
+        channel: lts
+        release: ${{ parameters.release }}

.pipelines/templates/Approval.yml

@@ -0,0 +1,31 @@
+parameters:
+    - name: displayName
+      type: string
+    - name: instructions
+      type: string
+    - name: jobName
+      type: string
+    - name: timeoutInMinutes
+      type: number
+      # 2 days
+      default: 2880
+    - name: onTimeout
+      type: string
+      default: 'reject'
+      values:
+          - resume
+          - reject
+
+jobs:
+    - job: ${{ parameters.jobName }}
+      displayName: ${{ parameters.displayName }}
+      pool:
+        type: agentless
+      timeoutInMinutes: 4320 # job times out in 3 days
+      steps:
+      - task: ManualValidation@0
+        displayName: ${{ parameters.displayName }}
+        timeoutInMinutes: ${{ parameters.timeoutInMinutes }}
+        inputs:
+          instructions: ${{ parameters.instructions }}
+          onTimeout: ${{ parameters.onTimeout }}

.pipelines/templates/InstallSnapd.yml

@@ -0,0 +1,11 @@
+steps:
+
+  - bash: |
+        sudo apt update
+    displayName: Apt Update
+    condition: succeeded()
+
+  - bash: |
+        sudo apt-get -y install snapd
+    displayName: Install snapd
+    condition: succeeded()

.pipelines/templates/createOutputDirectory-linux.yml

@@ -0,0 +1,6 @@
+steps:
+
+  - bash: |
+        mkdir -p -m a=rwx $(ob_outputDirectory)
+    displayName: Create $(ob_outputDirectory)
+    condition: succeeded()

.pipelines/templates/pushJob.yml

@@ -0,0 +1,111 @@
+parameters:
+  - name: channel
+    type: string
+  - name: release
+    default: 'private'
+
+jobs:
+- job: push
+  displayName: Push to ${{ parameters.release }}
+
+  pool:
+    type: linux
+    isCustom: true
+    name: $(ubuntuPool)
+    demands:
+      - ImageOverride -equals PSMMSUbuntu20.04-Secure
+
+  variables:
+    - name: ReleaseTag
+      value: edge/default
+    - group: SnapLogin
+    - name: channel
+      value: ${{ parameters.channel }}
+    - name: ob_outputDirectory
+      value: '$(Build.ArtifactStagingDirectory)/out'
+    - name: DOWNLOAD_DIRECTORY
+      value: '$(Build.ArtifactStagingDirectory)/down'
+
+  steps:
+    - checkout: self
+      lfs: false
+
+    - template: ./createOutputDirectory-linux.yml
+
+    - task: DownloadPipelineArtifact@2
+      displayName: 'Download build files'
+      inputs:
+        targetPath: $(DOWNLOAD_DIRECTORY)
+        artifact: drop_build_$(channel)_build_$(channel)
+
+    - pwsh: |
+        $snaps = Get-ChildItem $(DOWNLOAD_DIRECTORY)/*.snap -recurse -File
+        if($snaps.Count -gt 1)
+        {
+          $snaps | out-string -width 100 | Write-Verbose -verbose
+          Write-Error "***More than one snap found***" -errorAction stop
+        }
+      displayName: Verify that only one snap was downloaded
+
+    - pwsh: |
+        [string]$Branch=$env:BUILD_SOURCEBRANCH
+        $branchOnly = $Branch -replace '^refs/heads/';
+        $branchOnly = $branchOnly -replace '[_\-]'
+
+        if('${{ parameters.release }}' -eq 'private') {
+          if($branchOnly -eq 'master' -or $branchOnly -like '*dailytest*')
+          {
+              Write-verbose "release branch: $branchOnly" -verbose
+              $generatedBranch = ([guid]::NewGuid()).ToString().Replace('-','')
+              $releaseTag = "edge/$generatedBranch"
+          }
+          else
+          {
+              Write-verbose "non-release branch" -verbose
+              # Branch is named <previewname>
+              $releaseTag = "edge/$branchOnly"
+              $releaseTag += ([guid]::NewGuid()).ToString().Replace('-','')
+          }
+        } 
+        else {
+          $releaseTag = "${{ parameters.release }}"
+        }
+
+        $vstsCommandString = "vso[task.setvariable variable=ReleaseTag]$releaseTag"
+        Write-Verbose -Message "setting ReleaseTag to $releaseTag" -Verbose
+        Write-Host -Object "##$vstsCommandString"
+      displayName: Set ReleaseTag Variable
+
+    - pwsh: |
+          sudo chown root:root /
+      displayName: 'Make sure root owns root'
+      condition: succeeded()
+
+    - template: ./InstallSnapd.yml
+
+    - pwsh: |
+          $channel = (Get-Content ./snapcraftConfig.json | ConvertFrom-Json).channel
+          Write-Verbose -Verbose -Message "using Channel $channel"
+          sudo snap install snapcraft --classic "--channel=$channel"
+      condition: succeeded()
+      displayName: 'Install snapcraft'
+      retryCountOnTaskFailure: 2
+
+    - pwsh: |
+        $track = 'latest'
+        if('$(channel)' -eq 'lts')
+        {
+          $track = 'lts'
+        }
+
+        $snaps = Get-ChildItem $(System.ArtifactsDirectory)/*.snap -recurse -File | Select-Object -ExpandProperty FullName
+
+        foreach($snap in $snaps)
+        {
+          Write-Verbose -Verbose -Message "Uploading $snap to $track/$(ReleaseTag)"
+          snapcraft upload --release "$track/$(ReleaseTag)" $snap
+        }
+      displayName: 'snapcraft upload'
+      retryCountOnTaskFailure: 1
+      env:
+        SNAPCRAFT_STORE_CREDENTIALS: $(SNAPCRAFT_STORE_CREDENTIALS)

.pipelines/templates/releaseBuildAndPushStage.yml

@@ -0,0 +1,31 @@
+parameters:
+  - name: channel
+    default: ''
+  - name: release
+    default: 'private'
+
+stages:
+- stage: build_${{ parameters.channel }}
+  displayName: Build - ${{ parameters.channel }}
+  dependsOn: []
+  jobs:
+  - template: ./releaseBuildJob.yml
+    parameters:
+      channel: ${{ parameters.channel }}
+
+- stage: scan_${{ parameters.channel }}
+  displayName: SDL - ${{ parameters.channel }}
+  dependsOn: build_${{ parameters.channel }}
+  jobs:
+  - template: ./scanJob.yml
+    parameters:
+      channel: ${{ parameters.channel }}
+
+- stage: Push_${{ parameters.channel }}
+  displayName: Push - ${{ parameters.channel }} to ${{ parameters.release }}
+  dependsOn: scan_${{ parameters.channel }}
+  jobs:
+  - template: ./pushJob.yml
+    parameters:
+      channel: ${{ parameters.channel }}
+      release: ${{ parameters.release }}